From 70b62e9f769527786868dc966d8fddba27ec6116 Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 31 Jan 2023 03:28:59 +0000
Subject: [PATCH] persist stores: define the path for `private` at the host level
---
 hosts/common/default.nix | 1 +
 hosts/common/persist.nix | 7 +++++++
 modules/persist/stores/plaintext.nix | 2 +-
 modules/persist/stores/private.nix | 31 ++++++++++++++--------------
 4 files changed, 25 insertions(+), 16 deletions(-)
 create mode 100644 hosts/common/persist.nix
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index b7114134..19bbd329 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -10,6 +10,7 @@
 ./ids.nix
 ./machine-id.nix
 ./net.nix
+ ./persist.nix
 ./secrets.nix
 ./ssh.nix
 ./users.nix
diff --git a/hosts/common/persist.nix b/hosts/common/persist.nix
new file mode 100644
index 00000000..21391c3b
--- /dev/null
+++ b/hosts/common/persist.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sane.persist.stores.private.origin = "/home/colin/private";
+ # store /home/colin/a/b in /home/private/a/b instead of /home/private/home/colin/a/b
+ sane.persist.stores.private.prefix = "/home/colin";
+}
diff --git a/modules/persist/stores/plaintext.nix b/modules/persist/stores/plaintext.nix
index 4067cce8..de511b88 100644
--- a/modules/persist/stores/plaintext.nix
+++ b/modules/persist/stores/plaintext.nix
@@ -3,7 +3,7 @@ let cfg = config.sane.persist; in lib.mkIf cfg.enable {
- sane.persist.stores."plaintext" = {
+ sane.persist.stores."plaintext" = lib.mkDefault {
 origin = "/nix/persist"; }; # TODO: needed?
diff --git a/modules/persist/stores/private.nix b/modules/persist/stores/private.nix
index 1b3a1822..7be57824 100644
--- a/modules/persist/stores/private.nix
+++ b/modules/persist/stores/private.nix
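Review bot: The comment above the `prefix` line contradicts the `origin` set two lines earlier: with `origin = "/home/colin/private"`, `/home/colin/a/b` is stored at `/home/colin/private/a/b`, not `/home/private/a/b`, and the "instead of" path would be `/home/colin/private/home/colin/a/b`. Suggest `# store /home/colin/a/b at /home/colin/private/a/b instead of /home/colin/private/home/colin/a/b`. The private.nix comment removed by this commit also stated that paths placed in this store *must* carry the `/home/colin` prefix; since that constraint now originates in this host file, restate it here, e.g. `# everything placed in the private store must live under this prefix.`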
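Review bot: `lib.mkDefault` here wraps the whole `{ origin = ...; }` attrset, while the private.nix change in this same commit wraps only the value (`origin = lib.mkDefault "/mnt/private";`); if `sane.persist.stores.*` is a submodule type the module system pushes the priority down to each attribute so both forms should behave alike, but the mixed styles make the override rules harder to read. Suggest `origin = lib.mkDefault "/nix/persist";` for consistency with the private store. The `lib.mkIf cfg.enable { ... }` body this hunk sits in starts and ends outside the hunk.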
@@ -1,21 +1,22 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, sane-lib, utils, ... }:
+let
+ private-dir = config.sane.persist.stores."private".origin;
+ private-backing-dir = sane-lib.path.concat [ "/nix/persist" private-dir ];
+in
 lib.mkIf config.sane.persist.enable
 {
 sane.persist.stores."private" = {
 storeDescription = ''
- encrypted to the user's password and auto-unlocked at login
+ encrypted store which persists across boots.
+ typical use case is for the user to encrypt this store using their login password so that it
+ can be auto-unlocked at login.
 '';
- origin = "/home/colin/private";
- # files stored under here *must* have the /home/colin prefix.
- # internally, this prefix is removed so that e.g.
- # /home/colin/foo/bar when stored in `private` is visible at
- # /home/colin/private/foo/bar
- prefix = "/home/colin";
+ origin = lib.mkDefault "/mnt/private";
 defaultOrdering = let
- private-unit = config.sane.fs."/home/colin/private".unit;
+ private-unit = config.sane.fs."${private-dir}".unit;
 in {
- # auto create only after ~/private is mounted
+ # auto create only after the store is mounted
 wantedBy = [ private-unit ];
 # we can't create things in private before local-fs.target
 wantedBeforeBy = [ ];
@@ -23,13 +24,13 @@ lib.mkIf config.sane.persist.enable
 defaultMethod = "symlink";
 };
- fileSystems."/home/colin/private" = {
- device = "/nix/persist/home/colin/private";
+ fileSystems."${private-dir}" = {
+ device = private-backing-dir;
 fsType = "fuse.gocryptfs";
 options = [
 "noauto" # don't try to mount, until the user logs in!
 "nofail"
- "allow_other" # root ends up being the user that mounts this, so need to make it visible to `colin`.
+ "allow_other" # root ends up being the user that mounts this, so need to make it visible to other users.
 "nodev"
 "nosuid"
 "quiet"
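Review bot: `private-backing-dir` hard-codes `"/nix/persist"` in the new `let`, while this same commit makes the plaintext store's origin at `/nix/persist` overridable via `lib.mkDefault`; a host that relocates the plaintext store would leave the encrypted backing directory on the old path, and the coupling is invisible from here. Suggest `private-backing-dir = sane-lib.path.concat [ config.sane.persist.stores."plaintext".origin private-dir ];`, which should evaluate without recursion the same way `private-dir` already reads `config.sane.persist.stores."private".origin`, but confirm against the option declarations. The new `storeDescription` still promises auto-unlock at login although nothing in this module performs the unlock; a one-line pointer to wherever that happens (pam, a user service) would help the next reader. The `lib.mkIf` attrset opened in this hunk closes outside it.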
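Review bot: Rewording the `allow_other` comment to "visible to other users" turns a workaround for root doing the mount into a statement that every local user may see the store, and nothing in the hunk restricts that: with `allow_other` the kernel performs no permission checks of its own on a FUSE mount unless `default_permissions` is also given, leaving access control to the FUSE server. gocryptfs may pass `default_permissions` on its own; if it does not, add `"default_permissions"` after `"allow_other"` so the kernel enforces the mode bits of the decrypted files, and make sure the `private-dir` mountpoint is owned by the intended user with a restrictive mode, which is set (if at all) by the `sane.fs` entries in the later hunk rather than here. Suggested comment: `# root performs the mount, so allow_other is needed for the owning user to see it; access by anyone else is governed by the mountpoint's mode and default_permissions.` The `fileSystems` attrset continues past the end of this hunk.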
@@ -39,9 +40,9 @@ lib.mkIf config.sane.persist.enable
 };
 # let sane.fs know about the mount
- sane.fs."/home/colin/private".mount = {};
+ sane.fs."${private-dir}".mount = {};
 # it also needs to know that the underlying device is an ordinary folder
- sane.fs."/nix/persist/home/colin/private".dir = {};
+ sane.fs."${private-backing-dir}".dir = {};
 # TODO: could add this *specifically* to the .mount file for the encrypted fs?
 system.fsPackages = [ pkgs.gocryptfs ]; # fuse needs to find gocryptfs
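Review bot: `sane.fs."${private-backing-dir}".dir = {}` creates the ciphertext directory with whatever owner and mode `sane.fs` defaults to, and that default is not visible here; if it is world-readable, any local user can copy the ciphertext together with gocryptfs's `gocryptfs.conf` (which holds the master key wrapped under the store password) and run an offline guess against what the description says is typically the login password. If the `dir` option accepts ownership and mode, set them explicitly for this entry and for the `.mount = {}` mountpoint above it (the mount itself is `allow_other`, see the earlier hunk), and record why with a comment such as `# backing dir holds ciphertext + gocryptfs.conf; keep it readable only by the owning user`. The enclosing `lib.mkIf` attrset closes after this hunk.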